Example 1 with LwM2MClientCredentials
use of org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials in project thingsboard by thingsboard.
the class TbLwM2MDtlsCertificateVerifier method verifyCertificate.
@Override
public CertificateVerificationResult verifyCertificate(ConnectionId cid, ServerNames serverName, InetSocketAddress remotePeer, boolean clientUsage, boolean verifySubject, boolean truncateCertificatePath, CertificateMessage message) {
CertPath certChain = message.getCertificateChain();
if (certChain == null) {
// We trust all RPK on this layer, and use TbLwM2MAuthorizer
PublicKey publicKey = message.getPublicKey();
return new CertificateVerificationResult(cid, publicKey, null);
} else {
try {
boolean x509CredentialsFound = false;
X509Certificate[] chain = certChain.getCertificates().toArray(new X509Certificate[0]);
for (X509Certificate cert : chain) {
try {
if (!skipValidityCheckForClientCert) {
cert.checkValidity();
}
TbLwM2MSecurityInfo securityInfo = null;
if (staticCertificateVerifier != null) {
HandshakeException exception = staticCertificateVerifier.verifyCertificate(cid, serverName, remotePeer, clientUsage, verifySubject, truncateCertificatePath, message).getException();
if (exception == null) {
try {
String endpoint = config.getTrustSslCredentials().getValueFromSubjectNameByKey(cert.getSubjectX500Principal().getName(), "CN");
if (StringUtils.isNotEmpty(endpoint)) {
securityInfo = securityInfoValidator.getEndpointSecurityInfoByCredentialsId(endpoint, CLIENT);
}
} catch (LwM2MAuthException e) {
log.trace("Certificate trust validation failed.", e);
}
} else {
log.trace("Certificate trust validation failed.", exception);
}
}
// if not trust or cert trust securityInfo == null
String strCert = SslUtil.getCertificateString(cert);
String sha3Hash = EncryptionUtil.getSha3Hash(strCert);
if (securityInfo == null || securityInfo.getMsg() == null) {
try {
securityInfo = securityInfoValidator.getEndpointSecurityInfoByCredentialsId(sha3Hash, CLIENT);
} catch (LwM2MAuthException e) {
log.trace("Failed find security info: {}", sha3Hash, e);
}
}
ValidateDeviceCredentialsResponse msg = securityInfo != null ? securityInfo.getMsg() : null;
if (msg != null && StringUtils.isNotEmpty(msg.getCredentials())) {
LwM2MClientCredentials credentials = JacksonUtil.fromString(msg.getCredentials(), LwM2MClientCredentials.class);
if (!credentials.getClient().getSecurityConfigClientMode().equals(LwM2MSecurityMode.X509)) {
continue;
}
X509ClientCredential config = (X509ClientCredential) credentials.getClient();
String certBody = config.getCert();
String endpoint = config.getEndpoint();
if (StringUtils.isBlank(certBody) || strCert.equals(certBody)) {
x509CredentialsFound = true;
DeviceProfile deviceProfile = msg.getDeviceProfile();
if (msg.hasDeviceInfo() && deviceProfile != null) {
sessionStorage.put(endpoint, new TbX509DtlsSessionInfo(cert.getSubjectX500Principal().getName(), msg));
try {
securityStore.putX509(securityInfo);
} catch (NonUniqueSecurityInfoException e) {
log.trace("Failed to add security info: {}", securityInfo, e);
}
break;
}
} else {
log.trace("[{}][{}] Certificate mismatch. Expected: {}, Actual: {}", endpoint, sha3Hash, strCert, certBody);
}
}
} catch (CertificateEncodingException | CertificateExpiredException | CertificateNotYetValidException e) {
log.error(e.getMessage(), e);
}
}
if (!x509CredentialsFound) {
AlertMessage alert = new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.INTERNAL_ERROR);
throw new HandshakeException("x509 verification not enabled!", alert);
}
return new CertificateVerificationResult(cid, certChain, null);
} catch (HandshakeException e) {
log.trace("Certificate validation failed!", e);
return new CertificateVerificationResult(cid, e, null);
}
}
}
Also used :
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
PublicKey(java.security.PublicKey)
LwM2MAuthException(org.thingsboard.server.transport.lwm2m.server.client.LwM2MAuthException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
X509Certificate(java.security.cert.X509Certificate)
CertificateVerificationResult(org.eclipse.californium.scandium.dtls.CertificateVerificationResult)
X509ClientCredential(org.thingsboard.server.common.data.device.credentials.lwm2m.X509ClientCredential)
DeviceProfile(org.thingsboard.server.common.data.DeviceProfile)
NonUniqueSecurityInfoException(org.eclipse.leshan.server.security.NonUniqueSecurityInfoException)
LwM2MClientCredentials(org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials)
CertPath(java.security.cert.CertPath)
HandshakeException(org.eclipse.californium.scandium.dtls.HandshakeException)
ValidateDeviceCredentialsResponse(org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse)
AlertMessage(org.eclipse.californium.scandium.dtls.AlertMessage)
Example 2 with LwM2MClientCredentials
use of org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials in project thingsboard by thingsboard.
the class LwM2mCredentialsSecurityInfoValidator method createSecurityInfo.
/**
* Create new SecurityInfo
*
* @return SecurityInfo
*/
private TbLwM2MSecurityInfo createSecurityInfo(String endpoint, ValidateDeviceCredentialsResponse msg, LwM2mTypeServer keyValue) {
TbLwM2MSecurityInfo result = new TbLwM2MSecurityInfo();
LwM2MClientCredentials credentials = JacksonUtil.fromString(msg.getCredentials(), LwM2MClientCredentials.class);
if (credentials != null) {
result.setMsg(msg);
result.setDeviceProfile(msg.getDeviceProfile());
result.setEndpoint(credentials.getClient().getEndpoint());
// if ((keyValue.equals(CLIENT))) {
switch(credentials.getClient().getSecurityConfigClientMode()) {
case NO_SEC:
createClientSecurityInfoNoSec(result);
break;
case PSK:
createClientSecurityInfoPSK(result, endpoint, credentials.getClient());
break;
case RPK:
createClientSecurityInfoRPK(result, endpoint, credentials.getClient());
break;
case X509:
createClientSecurityInfoX509(result, endpoint);
break;
default:
break;
}
if (keyValue.equals(BOOTSTRAP)) {
LwM2MBootstrapConfig bootstrapCredentialConfig = new LwM2MBootstrapConfig(((Lwm2mDeviceProfileTransportConfiguration) msg.getDeviceProfile().getProfileData().getTransportConfiguration()).getBootstrap(), credentials.getBootstrap().getBootstrapServer(), credentials.getBootstrap().getLwm2mServer());
result.setBootstrapCredentialConfig(bootstrapCredentialConfig);
}
}
return result;
}
Also used :
LwM2MBootstrapConfig(org.thingsboard.server.transport.lwm2m.bootstrap.secure.LwM2MBootstrapConfig)
LwM2MClientCredentials(org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials)
Aggregations
LwM2MClientCredentials (org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials)2
PublicKey (java.security.PublicKey)1
CertPath (java.security.cert.CertPath)1
CertificateEncodingException (java.security.cert.CertificateEncodingException)1
CertificateExpiredException (java.security.cert.CertificateExpiredException)1
CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)1
X509Certificate (java.security.cert.X509Certificate)1
AlertMessage (org.eclipse.californium.scandium.dtls.AlertMessage)1
CertificateVerificationResult (org.eclipse.californium.scandium.dtls.CertificateVerificationResult)1
HandshakeException (org.eclipse.californium.scandium.dtls.HandshakeException)1
NonUniqueSecurityInfoException (org.eclipse.leshan.server.security.NonUniqueSecurityInfoException)1
DeviceProfile (org.thingsboard.server.common.data.DeviceProfile)1
X509ClientCredential (org.thingsboard.server.common.data.device.credentials.lwm2m.X509ClientCredential)1
ValidateDeviceCredentialsResponse (org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse)1
LwM2MBootstrapConfig (org.thingsboard.server.transport.lwm2m.bootstrap.secure.LwM2MBootstrapConfig)1
LwM2MAuthException (org.thingsboard.server.transport.lwm2m.server.client.LwM2MAuthException)1
